We don't upgrade very often, today I'm going from 4.4.25.2 to
4.5.11.2. I've upgraded and am working through the "shorewall check"
to ensure that our configs are compatible and fixing any changes. I've
been through the docs and upgrade notes several times on this one.

We have a single-interface firewall which is used to protect the
firewall host only i.e. a host-based firewall. This is in use on about
600 servers.

interfaces:
- enet physical=+

hosts:
net enet:0.0.0.0/0
uw enet:$N_ALL_UW_AFFILIATED

zones:
host firewall
uw ipv4
net ipv4

This is the typical format of a rule in the rules file (included by a
SHELL directive):
ACCEPT uw:homer.u.washington.edu host 22

After upgrading to 4.5.11.2 and running shorewall check I get this error:
ERROR: Unknown Interface (homer.u.washington.edu)
SHELL@/etc/shorewall/rules:17 (line 96)
from /etc/shorewall/rules (line 17)

This can be fixed by adding the interface name like this:
ACCEPT uw:enet:ref.cac.washington.edu host 22

Yet the docs imply that the interface is optional (by showing it in
square brackets) as it always has in the past:

SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}

I don't really want to go through all our rules to add this and try to
retrain all my people to remember to put it in since it's supposed to
be optional. Did I not read some recent change that made this
non-optional? Or are there config elements that now cause it to be
required?

Thanks,
-Eric
Tom Eastep
2013-Jan-12 22:35 UTC
Re: :interface not optional in rules file after upgrading
On 1/11/13 4:47 PM, Eric Horst wrote:
> We don't upgrade very often, today I'm going from 4.4.25.2 to
> 4.5.11.2. I've upgraded and am working through the "shorewall check"
> to ensure that our configs are compatible and fixing any changes. I've
> been through the docs and upgrade notes several times on this one.
>
> We have a single-interface firewall which is used to protect the
> firewall host only i.e. a host-based firewall. This is in use on about
> 600 servers.
>
> interfaces:
> - enet physical=+
>
> hosts:
> net enet:0.0.0.0/0
> uw enet:$N_ALL_UW_AFFILIATED
>
> zones:
> host firewall
> uw ipv4
> net ipv4
>
> This is the typical format of a rule in the rules file (included by a
> SHELL directive):
> ACCEPT uw:homer.u.washington.edu host 22
>
> After upgrading to 4.5.11.2 and running shorewall check I get this error:
> ERROR: Unknown Interface (homer.u.washington.edu)
> SHELL@/etc/shorewall/rules:17 (line 96)
> from /etc/shorewall/rules (line 17)
>
> This can be fixed by adding the interface name like this:
> ACCEPT uw:enet:ref.cac.washington.edu host 22
>
> Yet the docs imply that the interface is optional (by showing it in
> square brackets) as it always has in the past:
>
> SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
>
> I don't really want to go through all our rules to add this and try to
> retrain all my people to remember to put it in since it's supposed to
> be optional. Did I not read some recent change that made this
> non-optional? Or are there config elements that now cause it to be
> required?

Here's a patch that will also be in 4.5.12.

Regards,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
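
The ambiguity discussed in this thread, as an added example (not Shorewall's code and not the patch mentioned above): because [:interface] is optional in the SOURCE syntax, a two-field entry such as uw:homer.u.washington.edu can only be split correctly by checking the second field against the defined interfaces. The function names and the lookup approach are assumptions made for illustration; the interface name and the sample rules are taken from the original post.

```python
# Added illustration; this is NOT Shorewall's parser.
# Assumption: the optional middle field is resolved by looking it up in the
# set of defined interfaces ("enet" is the one from the post's interfaces file).
KNOWN_INTERFACES = {"enet"}


def parse_source(spec, interfaces=KNOWN_INTERFACES):
    """Split zone[:interface][:addresses] into its three parts."""
    parts = spec.split(":", 2)
    zone = parts[0]
    if not zone:
        raise ValueError("missing zone in %r" % spec)
    iface = addrs = None
    if len(parts) == 3:
        # Three fields: the middle one must be an interface.
        iface, addrs = parts[1], parts[2]
        if iface not in interfaces:
            raise ValueError("unknown interface %r in %r" % (iface, spec))
    elif len(parts) == 2:
        # Two fields: interface only if it names a defined one,
        # otherwise it is the address list (hostname, IP, range, ...).
        if parts[1] in interfaces:
            iface = parts[1]
        else:
            addrs = parts[1]
    return {"zone": zone, "interface": iface,
            "addresses": addrs.split(",") if addrs else []}


def parse_rules(lines):
    """Parse SOURCE and DEST of each rule line; skip blanks and comments."""
    result = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            result.append((lineno, fields[0],
                           parse_source(fields[1]), parse_source(fields[2])))
    return result


# The two rule forms quoted in the post.
SAMPLE_RULES = [
    "ACCEPT uw:homer.u.washington.edu host 22",
    "ACCEPT uw:enet:ref.cac.washington.edu host 22",
]

if __name__ == "__main__":
    for entry in parse_rules(SAMPLE_RULES):
        print(entry)
```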